[WASC-WAFEC] WAFEC v2 Step 1

Johanne Ulloa julloa at denyall.com
Thu Feb 10 09:35:20 EST 2011


Hello there,

Maybe we can start by determining which criteria we have to focus on.
If we consider that WAFEC is a tool to evaluate WAFs, and if one assumes that a WAF is a security device, it seems that we have to focus on the security level that can be provided by the WAF. So, security should be the first criterion.

Of course, a WAF is able to provide more added value, such as:

- Acceleration
- Authentication
- Authorization
- SSO
- Visibility (debugging/reporting/monitoring)
- Architecture design improvement

After that, some other criteria such as:

- deployment mode
- ease of administration
- scalability and high availability

The second thing is to determine the method to evaluate the criteria.
For example, regarding the security part, WASC-ID could be used. For each ID, a method would be provided to test the WAF's capacity to block or mitigate attacks related to that threat.

Regards


-----Original Message-----
From: wasc-wafec-bounces at lists.webappsec.org [mailto:wasc-wafec-bounces at lists.webappsec.org] On behalf of robert at webappsec.org
Sent: Wednesday, 9 February 2011 23:59
To: Ivan Ristic
Cc: wasc-wafec at lists.webappsec.org
Subject: Re: [WASC-WAFEC] WAFEC v2 Step 1

> I am not so sure we should start by reviewing WAFECv1. We should let it rest
> for a little while longer. It's much better to discuss the common WAF use
> cases, and from that deduce how to formulate criteria that would help
> users determine if the products they are evaluating are suitable for the use
> cases they wish to pursue.


I agree. After building out these use cases, see what is and isn't in v1, and create
the new sections/update the old ones.

Regards,
- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

> 
> For the record, my impression of WAFECv1 is that it's great for the guys
> like me, who are interested in how WAFs operate, but not as useful for
> end-users, who just want to take care of a problem they have.
> 
> In addition, I have some questions:
> 
> - What is content switching?
> - What DoS aspects of HTML5?
> 
> On Wed, Feb 9, 2011 at 9:28 PM, Wujek Thorsten [STEIN-IT GmbH] <
> Thorsten.Wujek at stein-edv.de> wrote:
> 
> > Hi,
> >
> >
> >
> > Thanks to everybody for showing so much interest in evolving WAFEC v2.
> >
> >
> >
> > Today I would like to present the first, initial step of our project. After
> > that I or my brother will be able to provide a detailed schedule and goal
> > definition as well as how the communication will be organized.
> >
> >
> >
> > 1.)    I would like to name those, who have confirmed their participation
> > explicitly on the WASC / WAFEC Website. If you do not want that, please let
> > me know, otherwise I take silence as an "OK".
> >
> > 2.)    As stated in the first mail, there should be a review of WAFEC v1
> > and it would be great, if you could start with your or your customers
> > experiences regarding the use of WAFEC v1.
> > Let me be the one starting the discussion in short words:
> >
> > i.)           There are a lot of criteria regarding content switching,
> > which is irritating if you speak about WAF
> > ii.)          With the new DoS aspects of HTML 5 we should sharpen WAFEC
> > criteria regarding that issue
> > iii.)         WAFEC should give customers or consultants the ability to
> > judge positive or negative techniques as well as training; at the moment it
> > is just showing capabilities
> >
> > iv.)         The actual version is not helpful if you want to evaluate
> > management or administrative capabilities
> >
> >
> >
> > These are my 5 cents
> >
> > 3.)    Last but not least there should be an overall confirmation if the
> > suggested topics should be discussed in this project completely and how
> > these points should be prioritized.
> >
> >
> >
> > Awaiting your comments.
> >
> >
> >
> > Thorsten
> >
> >
> >
> >
> > Kind regards
> > STEIN-IT GmbH
> > Thorsten Wujek
> > technical managing director
> > technical CEO
> >
> > *MCT,MCA,MASE,CITA-P***
> >
> >
> >
> >
> > Neckarstraße 4. 45768 Marl
> > Fon +49 23 65 . 92 44 - 31
> > Fax +49 23 65 . 92 44 - 44
> >
> > www.stein-edv.de
> > www.sony-repair.de
> > Thorsten.Wujek at stein-edv.de <thorsten.wujek at stein-edv.de>
> >
> >
> >
> >
> > VAT ID: DE 814703466
> > Tax no.: 359 5786 0059
> >
> > District Court Gelsenkirchen, HRB 8639
> > Registered office and place of jurisdiction: Marl
> >
> > Managing directors:
> > Joachim Matzek, Thorsten Wujek
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > wasc-wafec mailing list
> > wasc-wafec at lists.webappsec.org
> > http://lists.webappsec.org/mailman/listinfo/wasc-wafec_lists.webappsec.org
> >
> >
> 
> 
> -- 
> Ivan Ristić
> 

